Using a Linux server with third-party L2TP/IPsec clients

Last update: Feb 26, 2008

1.1 Introduction

I have made the following webpages on using L2TP/IPsec with Linux:

The page you are now reading describes how you can use commercial clients such as SSH Sentinel and Safenet Softremote with Openswan. It assumes you are already familiar with setting up Openswan with L2TP/IPsec. If you are not, it's probably a good idea to start with reading this page (the first one in the list). It includes information on setting up the Linux side. The other pages contain specifics on several L2TP/IPsec clients which are available for Windows and Mac OS X.

1.2 Author

The author of this document is Jacco de Leeuw. Corrections, additions, extra information etc. are much appreciated.

2. Contents
3. Background information

In addition to Microsoft's clients, there are other clients that support L2TP/IPsec:

I have done tests with SSH Sentinel 1.3/1.4/1.4.1 and SafeNet SoftRemote 7.0.5/9.2.1. You can find instructions below. These clients support NAT-Traversal, as you can read here.

Back to Contents

4. L2TP discussion

The big question of course is: why would you want to use L2TP with SoftRemote or Sentinel? Both support multiple mechanisms to acquire virtual IP addresses from the internal network. For instance: DHCP, manual configuration, as well as L2TP/IPsec. I can think of a few reasons to use the latter.

Some users may prefer the Microsoft clients, mainly because they are free. Others prefer a third-party client, because the third-pary will provide support. From a system administrative point of view, L2TP/IPsec allows you to use the Microsoft clients and SoftRemote/Sentinel at the same time. You can migrate from one type of client to the other, if you want. Another reason is that L2TP supports non-IP protocols such as IPX and SNA (not tested by me). Plus, L2TP/IPsec is an official IETF standard.

Back to Contents

5. SSH Sentinel configuration

I used Sentinel 1.3 and 1.4/1.4.1 with Openswan. Other versions should work too. An exception may be SSH Sentinel v1.2 ("Internetpilot") which is free for non-commercial and educational use, but it is also old and buggy.

Note that Sentinel uses the L2TP-CERT and L2TP-PSK example Openswan configuration files, i.e. it requires leftprotoport=17/1701 and not leftprotoport=17/0 (as explained here). Sentinel supports both certificates and PSKs. Below is the procedure for certificates. PSKs are even easier to use, check the Sentinel manual if you want to use them.

If everything is OK, SSH Sentinel will briefly show a window with the text "The VPN connection established successfully".

If you don't want to send regular Internet traffic through the VPN tunnel you may want to enable split tunnelling. See this section for more details about split tunnelling and its advantages and disadvantages. On SSH Sentinel 1.4 or higher you can enable or disable split tunnelling in the 'Advanced' options.

Back to Contents

6. SafeNet SoftRemote and OEM versions

(Text and screenshots are based on version 7.0.5. Also tested was version 9.2.1 Build 2).

SoftRemote supports a large number of options. This section provides a general idea of how to configure SoftRemote. I won't discuss every option. The helpfile contains excellent instructions. Simply press F1 in SoftRemote to show the helpfile and search the index for "L2TP".

SoftRemote supports both IPsec and L2TP. On Windows 9x/ME it adds its own virtual adapter ("SafeNet VPN Adapter") which is used for both IPsec and L2TP. On Windows 2000/XP the setup is a bit different. First, SoftRemote disables Windows' built-in IPsec. Then it adds its own IPsec support to the network stack. For L2TP it relies on the built-in L2TP support of Windows 2000/XP (more about that below).

SoftRemote supports both certificates and PSKs. Here's how to import a certificate (skip this if you want a PSK):

Here's how to configure a connection for either PSK or certificate:

You have now configured the IPsec part of SoftRemote.

Setting up the L2TP part on Windows 2000/XP is very similar to setting up a dial-in connection using the native client of Windows (described here). I.e. you simply use the New Connection Wizard to create a new L2TP connection. Be sure to type in the exact same IP address of the server ( in the example above)! If you make a typo, Windows 2000/XP may set up a connection to the wrong server which is not protected by IPsec.

Under Win9x/ME the procedure is very similar to setting up a dial-in connection with the MSL2TP client (described here). The difference is that the adapter is called "SafeNet VPN Adapter" instead of "Microsoft L2TP/IPSec VPN Adapter". The SoftRemote helpfile also has instructions on how to configure the connection: simply press F1 to read the helpfile.

Back to Contents

7. Forticlient configuration

Forticlient is based on SSH Sentinel so in theory you should be able to configure it following the instructions for Sentinel. An evaluation version is available but it only supports single DES encryption (1DES). This is too weak for serious use. Openswan does not support 1DES, unless you recompile the source code and activate 1DES specifically. This makes evaluating the Fortinet client a bit cumbersome.

Back to Contents

8. Revision history

Nov 21, 2005: Added Forticlient, successor of Sentinel.
Sep 28, 2004: Sentinel does not work on XP SP2. Will not be fixed.
Jan 7, 2004:
Sentinel has been sold. Updated links.
Aug 23, 2003
: Reference to outdated Sentinel 1.2 (Internetpilot).
Jul 26, 2003: SoftRemote on Win9x/ME also works (but root cert did not show up?).
Jun 23, 2003: Added SoftRemote instructions.
Apr 23, 2003: Added report of Netscreen-Remote.
Apr 13, 2003: Could not get NAT-T to work.
Apr 7, 2003: Verified: Sentinel 1.4 can get DNS and WINS addresses automatically.
Mar 8, 2003: Tested myself, it works indeed. Added configuration information.
Dec 27, 2002: Sentinel reported to work.
Dec 15, 2002: Pages created.

Jacco de Leeuw